# -----------------------------------------------------------------------------------------------------------
#                                              W3AF AUDIT SCRIPT FOR WEB APPLICATION
# -----------------------------------------------------------------------------------------------------------

# Configure HTTP settings
http-settings
set timeout {{ default 30 .W3AF_TIMEOUT }}
{{ if .W3AF_BASIC_AUTH_USERNAME }}
set basic_auth_user {{ .W3AF_BASIC_AUTH_USERNAME }}
set basic_auth_passwd {{ .W3AF_BASIC_AUTH_PASSWORD }}
{{if .W3AF_BASIC_AUTH_DOMAIN }}
set basic_auth_domain {{ .W3AF_BASIC_AUTH_DOMAIN }}
{{end}}
{{ end }}
back

# Configure scanner global behaviors
misc-settings
set max_discovery_time {{ default 10 .W3AF_MAX_DISCOVERY_TIME }}
set fuzz_cookies True
set fuzz_form_files True
set fuzz_url_parts True
set fuzz_url_filenames True
back

profiles
use {{ default "audit_high_risk" .W3AF_PROFILE }}
back

plugins

# Configure rfi plugin
audit rfi
audit config rfi
set listen_address "0.0.0.0"
set listen_port 44449
set use_w3af_site True
back

{{ if .W3AF_AUTH_FORM_URL }}
# Configure target authentication
auth detailed
auth config detailed
set username '{{ .W3AF_AUTH_FORM_USERNAME }}'
set password '{{ .W3AF_AUTH_FORM_PASSWORD }}'
set method POST
set auth_url {{ .W3AF_AUTH_FORM_URL }}
set username_field '{{ default "username" .W3AF_AUTH_FORM_USERNAME_FIELD }}'
set password_field '{{ default "password" .W3AF_AUTH_FORM_PASSWORD_FIELD }}'
set data_format '{{ default "%u=%U&%p=%P" .W3AF_AUTH_FORM_DATA_FORMAT }}'
set check_url {{ .W3AF_AUTH_FORM_CHECK_URL }}
set check_string '{{ default "connected" .W3AF_AUTH_FORM_CHECK_STRING }}'
set follow_redirects True
back
{{end}}

{{ if .W3AF_AUTH_LOGOUT_URL_REGEX }}
crawl web_spider
crawl config web_spider
set ignore_regex {{ .W3AF_AUTH_LOGOUT_URL_REGEX }}
back
{{end}}


# Configure reporting in order to generate an HTML report
output console, html_file
output config html_file
set output_file reports/report{{- if .W3AF_REPORT_SUFFIX -}}_{{- .W3AF_REPORT_SUFFIX -}}{{- end -}}.html
set verbose {{ default "False" .W3AF_VERBOSE }}
back

output config console
set verbose {{ default "False" .W3AF_VERBOSE }}
back
back

# Set target informations, do a cleanup and run the scan
target 
set target {{ .W3AF_TARGET_URL }}
set target_os {{ default "unix" .W3AF_TARGET_OS }}
set target_framework {{ default "unknown" .W3AF_TARGET_FRAMEWORK }}
back

back

cleanup
start
exit